Opencart online shop hacked

Feet Warmer

Free Member
Mar 14, 2014
25
6
Never thought this would happen to me (probably everyone thinks the same).

A customer rang to say she couldn't make payment with either PayPal or Stripe, so I did a mock purchase. The PayPal page showed FathurFreakz as the heading and couldn't process the payment. I googled this phrase and some posts mentioned it. My opencart website was hacked!

I contacted Vidahost and restored my website to an earlier version. After I logged in, I found several new admin users in this name. Delete them. Then I saw my PayPal plugin was setting up a hacker's account. Uninstall.

However, to my shock, using any username or password (such as 1 and 1) can access the back office. My admin URL is domain/myownURL/, not /admin/, but I wonder what code the hacker has changed so that any combination of username or password can gain access?

Still waiting for Vidahost to offer some help. Is there anybody who knows about this issue? Do you offer any professional service to make my Opencart more secure? Thank you.
 

ryedale

Contributor
Free Member
Dec 17, 2013
1,554
369
50
Malton
What version are you running? 1 or 2?

Was it up to date?

You'll need to download a copy of the site and check the file dates to find all the files that have been recently modified.

Send me a PM if you want and I'll be happy to take a look for you.
 

Feet Warmer

I'm using Opencart 1.5.6.4. The reason for using this instead of Version 2 is because the theme I use is only compatible with 1.5.6.

Thank you, Ryedale. I'll take a look at the files via FTP. If I can't find anything, I'll contact you via PM.
 

ryedale

No problem, make sure you scan all files, as hackers will often dump uploaded scripts deep inside folder paths to try and avoid being picked up.

Make sure all your extensions are up to date where possible and check any older ones for known vulnerabilities.

You can also lock down the admin directory to your IP.
 

antp__

Free Member
Mar 31, 2014
176
25
32
Could have been an SQL Injection attack. This is generally what used to cause the any username and password issue. (Not just Opencart.) If an exploit is found in Opencart, for instance, an SQL Injection attack can allow hackers to pull certain information from the database. And as above, beware of any files they may have uploaded (RFI hacking techniques).

With the increased number of people I see regarding Opencart hacking, and PayPal bugs (allowing customers to enter how much they wish to pay), I'm a little skeptical now about redesigning my site using it.
 

ryedale

Just been working through the site for her.. found the hack files okay (backdoor scripts) and removed them.

Couldn't find any other changed files in the same date range as the hacked files but any user can still login to the back end with any password even though only admin user in db.. Guessing hacker must have modified the date on the core modified files to avoid detection

I've locked the admin folder down with htaccess for now. Will make a replica of the site tomorrow and copy over default Opencart installation files for that version tomorrow and see if admin verification login starts working again.
 
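An added example, not part of the thread or any poster's code: the post above suspects that file dates were altered, so this compares content hashes of the downloaded site copy against a clean unpack of the same OpenCart release, which finds changed core files regardless of timestamps. The function names and the `rename` mapping (for a renamed admin folder such as the `myownURL` mentioned earlier) are assumptions made for this example.

```python
import hashlib
import os


def hash_tree(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_to_baseline(site_root, clean_root, rename=None):
    """Compare a site copy with a pristine unpack of the same release.

    rename maps a directory prefix in the site copy to its name in the
    clean tree, e.g. {"myownURL/": "admin/"} for a renamed admin folder.
    Returns (modified, extra): release files whose content differs, and
    files that are not part of the clean release at all.
    """
    rename = rename or {}
    clean = hash_tree(clean_root)
    modified, extra = [], []
    for rel, digest in sorted(hash_tree(site_root).items()):
        key = rel
        for site_prefix, clean_prefix in rename.items():
            if rel.startswith(site_prefix):
                key = clean_prefix + rel[len(site_prefix):]
                break
        if key not in clean:
            extra.append(rel)       # uploads, extensions, dropped scripts
        elif clean[key] != digest:
            modified.append(rel)    # core file edited; mtime is irrelevant
    return modified, extra


if __name__ == "__main__":
    import sys
    # usage: compare.py SITE_COPY CLEAN_RELEASE [site_prefix=clean_prefix ...]
    mapping = dict(arg.split("=", 1) for arg in sys.argv[3:])
    modified, extra = compare_to_baseline(sys.argv[1], sys.argv[2], mapping)
    for rel in modified:
        print("MODIFIED      ", rel)
    for rel in extra:
        print("NOT IN RELEASE", rel)
```

Files reported as not in the release include legitimate themes, extensions, uploads and config files, so that list needs manual review; PHP files inside image or cache folders deserve the closest look.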

antp__

Glad @ryedale is sorting this. But still as above, I'm now so skeptical about revamping my website using OpenCart.

@Feet Warmer - Don't. I know it's heartbreaking after all the work you have put in. But the main thing is Vidahost were able to upload an older update and it is now being sorted.

Where did all the White Hat Hackers go? Find a vulnerability and let the host or open-source software know. Now, they just seem to want to deface a website for fun. What do they get out of it really?
 

ryedale

To be honest, any open source software, be it Opencart, Joomla, Wordpress or any other is at risk of getting hacked if not patched and on a properly set up server. Opencart is no more risk than any of the others.

If you keep it up to date and take sensible precautions like locking down the admin folder, renaming the admin username and having a strong password, then the risk is kept low.
 

antp__

@ryedale, my previous message came across a little hasty. Of course I appreciate any opensource or even paid self hosted solution will have their risks.

It just makes me think, the money I pay each month for a hosted solution could in fact work out the same when going for a self-hosted solution. As I wouldn't have the time to keep updating modules and OpenCart itself.
 

antropy

Business Member
Aug 2, 2010
5,322
1,104
West Sussex, UK
www.antropy.co.uk

> Glad @ryedale is sorting this. But still as above, I'm now so skeptical about revamping my website using OpenCart.

It's probably the hosting rather than OpenCart that was hacked.

> To be honest, any open source software ... is at risk of getting hacked if not patched and on a properly set up server

As is closed source:
https://en.wikipedia.org/wiki/Open-source_software_security

> Could have been an SQL Injection attack.

Unlikely seeing as files were edited and all database input in OpenCart is sanitized.

Most likely way in, in my opinion, would be through a weak FTP password.
     